Compare
ThreatDown (by Malwarebytes) is a cloud-managed endpoint protection and EDR platform — real-time malware blocking, behavioral EDR, signature Ransomware Rollback, and an optional 24/7 managed (MDR) service, sold per endpoint. WinSentinel eliminates the misconfigurations attackers exploit before any malware runs — auditing and hardening Windows, then scoring it — for free and fully local. Harden first, then let the EDR catch what's left.
| Capability | WinSentinel | ThreatDown |
|---|---|---|
| Primary Function | Proactive hardening & posture scoring | Endpoint protection + EDR/MDR |
| Approach | Prevent — close attack surface before breach | Detect & remediate — stop malware at runtime |
| Security Posture Score | ✓ 0–100 across 33 audit modules | ✗ No Windows configuration posture score |
| Configuration Hardening | ✓ Auto-remediation with dry-run preview | ✗ Not a Windows config-hardening tool |
| Malware / Ransomware Detection | Preventive (removes attack paths) | ✓ Real-time AV + Ransomware Rollback |
| Behavioral EDR / Threat Hunting | ✗ Not an EDR | ✓ EDR on Advanced tier and above |
| Managed MDR / SOC | ✗ Self-service, no analysts | ✓ 24/7 MDR on Elite / Ultimate |
| Open Source | ✓ MIT licensed, full source on GitHub | ✗ Proprietary, closed-source agent |
| Cloud Dependency | ✓ Fully local — no cloud required | Managed from the Nebula / OneView cloud console |
| Setup Time | 30 seconds (dotnet tool install) | Console setup + agent deployment |
| Windows-Specific Depth | ✓ 33 modules (registry, GPO, SMB, LLMNR, etc.) | Malware-focused, not config benchmarks |
| Compliance Mapping | ✓ CIS, SOC 2, HIPAA, Essential 8 | Reporting, not config benchmark mapping |
| CI/CD Integration | ✓ GitHub Action + SARIF output | ✗ Runtime AV/EDR, not CI/CD friendly |
| Agent Footprint | ~5 MB CLI, runs on demand | Always-on protection + management agent |
| Cross-Platform Coverage | Windows-only by design | ✓ Windows, macOS, Linux, ChromeOS, mobile |
| Best Fit | Any team that wants to harden Windows itself | ✓ SMBs & MSPs needing managed EDR/MDR |
WinSentinel: $0/forever. All 33 audit modules, real-time monitor, scheduled scans, PDF reports — no limits on one machine. Pro fleet: $29/25 nodes · $79/100 nodes.

ThreatDown: per endpoint/year. Annual subscription per endpoint across bundles — Core (EP), Advanced (adds EDR + Ransomware Rollback), Elite (adds 24/7 MDR), Ultimate (adds DNS filtering) — commonly ranging from roughly $69 to $119 per endpoint per year. Covers EP · EDR · MDR · Ransomware Rollback.
No configuration hardening. ThreatDown scans for and blocks malware — it doesn't audit your Windows registry, GPO settings, firewall rules, or SMB configuration. If LLMNR is enabled, SMBv1 is on, or BitLocker is off, the EDR agent won't fix your config.
No posture scoring. You can't get a single number representing your machine's configuration hygiene, or track "you improved from 67 to 84 this month." ThreatDown reports detections and incidents, not how the OS is set up.
No proactive prevention of misconfiguration. Its model is detect-and-remediate malicious code, with rollback after the fact. WinSentinel closes the doors and windows — disabled legacy protocols, enforced policies, locked-down accounts — before any payload ever lands.
No local-only / self-service config audit. ThreatDown is administered from the Nebula (or OneView) cloud console with per-endpoint licensing; you can't run a one-shot, air-gapped configuration audit with no account or agent enrollment. WinSentinel runs entirely on the machine, free, with no account.
No CI/CD pipeline fit. You can't run the ThreatDown EDR agent inside a GitHub Action to verify your Windows image is hardened before it ships. WinSentinel gates your build with `--audit --sarif` and uploads to GitHub code scanning.
WinSentinel reduces your attack surface by 60–80% before ThreatDown's engine ever fires. Fewer open ports, disabled legacy protocols, enforced policies, encrypted volumes — fewer footholds for malware to land, and a cleaner baseline for ThreatDown to defend and roll back.
```shell
dotnet tool install --global WinSentinel.Cli
winsentinel --audit --score
```
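As an added illustration (not WinSentinel's own code or output format), here is a minimal PowerShell posture check for the three misconfigurations named above (LLMNR, SMBv1, BitLocker), scored 0 to 100 and exiting non-zero below a threshold so it can gate a pipeline the same way. It assumes an elevated session on Windows 10/11 with the SmbShare and BitLocker modules available; the check names and the threshold value are hypothetical.

```powershell
# Added example, not part of WinSentinel: audit three well-known Windows
# misconfigurations, compute a simple 0-100 score, and fail the build below a threshold.
# Assumes an Administrator session on Windows 10/11 with SmbShare and BitLocker modules.
$checks = @()

# LLMNR is disabled only when the DNSClient policy value EnableMulticast is 0.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{ Name = 'LLMNR disabled'; Pass = ($llmnr.EnableMulticast -eq 0) }

# SMBv1 should be off on the server side.
$smb = Get-SmbServerConfiguration
$checks += [pscustomobject]@{ Name = 'SMBv1 disabled'; Pass = (-not $smb.EnableSMB1Protocol) }

# BitLocker protection should be On for the system drive.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{ Name = 'BitLocker on system drive'; Pass = ($bl.ProtectionStatus -eq 'On') }

# Score: percentage of checks that pass (every check weighted equally here).
$passed = @($checks | Where-Object { $_.Pass }).Count
$score  = [int](100 * $passed / $checks.Count)

$checks | Format-Table -AutoSize
"Posture score: $score/100"

# CI gate: a hypothetical threshold; a non-zero exit code fails the pipeline step.
$threshold = 80
if ($score -lt $threshold) {
    Write-Error "Posture score $score is below threshold $threshold"
    exit 1
}
```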
No - they solve different problems and work well together. ThreatDown (by Malwarebytes) is an endpoint protection and EDR/MDR platform: it scans for malware, blocks ransomware, rolls back damage, and (on higher tiers) gives you 24/7 managed detection and response. WinSentinel eliminates the misconfigurations attackers exploit before any malware runs - it audits and hardens Windows configuration (registry, GPO, firewall, SMB, BitLocker, accounts) and scores your posture. Harden with WinSentinel, detect and remediate malware with ThreatDown.
No. WinSentinel is a configuration-hardening and posture tool, not an antivirus and not an EDR. It does not scan files for malware signatures, sandbox executables, or watch process behavior at runtime. It audits how Windows is configured and fixes the misconfigurations a signature/behavior engine like ThreatDown will never flag - things like SMBv1 being on, LLMNR enabled, BitLocker off, or local admin sprawl.
WinSentinel is free for unlimited use on a single machine. ThreatDown is sold per endpoint on an annual subscription across bundles (Core for endpoint protection, Advanced which adds EDR and Ransomware Rollback, Elite which adds 24/7 managed detection and response, and Ultimate which adds DNS filtering), commonly ranging from roughly $69 to $119 per endpoint per year. WinSentinel Pro - which adds fleet management across many machines - is $29/mo for up to 25 nodes or $79/mo for up to 100 nodes, with annual billing saving 17%.
No - and that is the point. ThreatDown's strength is its malware engine: real-time protection, behavioral EDR, and a signature ransomware rollback that reverts encrypted files. WinSentinel does not duplicate that; it removes the attack surface those threats need - disabled legacy protocols, enforced policies, locked-down accounts, encrypted volumes - so there is less for the EDR to catch in the first place. They are complementary layers, not substitutes.
No. WinSentinel runs fully local - the CLI audits the machine it runs on and keeps all data on that machine, with no account, no agent enrollment, and no cloud connectivity required. ThreatDown is administered from the cloud Nebula console (or OneView for MSPs) where each endpoint's agent reports in. WinSentinel's optional Pro control plane is opt-in and only for organizations that want fleet management.
Yes. The CLI and every audit module are free and open source under the MIT license, installed with `dotnet tool install --global WinSentinel.Cli`. A single machine gets the full power - all audit modules, the real-time monitor, scheduled scans, and PDF reports - with no limits and no account required. Pro is only for organizations that want to manage many machines from one control plane.
Yes. WinSentinel is built specifically for Windows 10 and Windows 11 (and Windows Server). It uses native Windows APIs to audit configuration that cross-platform agents treat generically, which is why its hardening checks are deeper on Windows. ThreatDown protects Windows, macOS, Linux servers, ChromeOS and mobile from one console, but it does not provide a Windows configuration posture score or one-click config remediation.
Yes. WinSentinel is a lightweight CLI that reads Windows configuration and applies opt-in fixes on demand - it is not an always-on antivirus, does not install a real-time scanning driver, and does not hook process execution, so it runs cleanly next to the ThreatDown agent or any other AV/EDR. Hardening with WinSentinel reduces the number of incidents ThreatDown's detections and analysts have to handle.